‘Phishing’ is the term used to describe email sent with the intention of tricking the recipient into divulging personal (often financial) information to the perpetrator.

A recent ISC Diary post provides some examples of phishing email received by ISC handler Johannes Ullrich. The associated analysis is helpful for learning how to distinguish legitimate email from phishing email.

ISC is the Internet Storm Center, which “provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.” The site and associated services provide a wealth of information regarding Internet security.

Researchers have already found a vulnerability in Java 7 Update 7, which was only released yesterday. So far all we know is that a report, along with code demonstrating the security hole, has been submitted to Oracle, Java’s developer.

Details on the new Java hole show that it could be used to take over a vulnerable computer. So, once again, users are being urged to disable Java, especially in web browser software.

Your move, Oracle.

UPDATE 2012Sep01: SANS reports that a new email phishing attack exploiting this new Java hole is showing up in the wild. The email appears to be from Microsoft, and is patterned on a recent, legitimate Microsoft email message. The mail contains a URL that – once clicked – sends web browsers to a site that has been infected with the published Java exploit code. Advice to users is the same as usual: be very careful about clicking on any link you don’t know for sure is safe, and consider disabling Java in your web browser.

A new version of the Opera web browser was announced today. Version 12.02 includes some security fixes, as well as some other minor changes.

The Opera blog post announcing version 12.02 also describes a way to avoid potential problems with the recently-announced Java security hole. It involves changing an Opera setting that forces the user to ‘click to play’ for any content provided by a plugin (including Java). With this setting enabled, if you visit a site infected with a Java exploit, the exploit code won’t run unless you specifically allow it. While possibly overkill, this is as good a workaround as we can expect, at least until Oracle issues a fix for the Java hole.

Interestingly, there doesn’t seem to be a list of previous Firefox versions or the corresponding release notes anywhere on the site. But you can find the release notes for a version by replacing ‘15.0’ with any other version number in this URL: http://www.mozilla.org/en-US/firefox/15.0/releasenotes/

Visitors to my home who want to use our wireless network are often stupefied by the 63-character, hexadecimal WPA2 passcode. In spite of the legitimate security concerns that went into my choice of such a long code, this always embarrasses me. Of course, being embarrassed easily is all part of growing up and being British. (That’s a Monty Python reference in case you didn’t get it.)

The upshot is that no passcode is uncrackable. Your only hope is to make your passcode so long and complex that it can’t be cracked in a reasonable timeframe. Using all of the maximum 63 characters is strongly recommended.

So, laugh all you want, and groan as you struggle to enter that monstrosity, but I’m not going to simplify it just for convenience.
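To put numbers on the length argument above, here is an added example (not part of the original post) that generates a 63-character passcode, estimates how long an exhaustive search would take, and derives the WPA2-PSK key the standard way (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). The guess rate of one million per second and the SSID `ExampleNet` are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets

HEX = "0123456789abcdef"
SECONDS_PER_YEAR = 365 * 24 * 3600


def check_passphrase(passphrase: str) -> None:
    """WPA2-PSK passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def generate_passphrase(length: int = 63, alphabet: str = HEX) -> str:
    """Random passphrase drawn from the OS CSPRNG."""
    passphrase = "".join(secrets.choice(alphabet) for _ in range(length))
    check_passphrase(passphrase)
    return passphrase


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at the given (assumed) guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    rate = 1e6  # assumed guesses per second, for illustration only
    for label, length, size in [("8 lowercase letters", 8, 26),
                                ("63 hex characters", 63, 16)]:
        bits = entropy_bits(length, size)
        print(f"{label}: {bits:.0f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years at {rate:.0e}/s")
    # "ExampleNet" is a constructed SSID, not one from the post.
    print(derive_pmk(generate_passphrase(), "ExampleNet").hex())
```

Because the SSID is the salt, the same passcode yields a different key on a network with a different name.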

The new vulnerability has already been exploited to develop a working attack that can affect Windows, Linux and MacOS computers to varying degrees. The exploit code is available as part of the controversial Metasploit and Blackhole hacking toolkits. That means we can expect real, web-based attacks to start appearing almost immediately.

Anyone wanting to compromise vulnerable systems need only place the attack code on a web site and wait for those systems to visit the site. In this case, vulnerable systems include just about any Windows or Linux system running a web browser with Java enabled.

Java is typically installed both as a stand-alone runtime environment and as a plugin for web browsers. Both environments are vulnerable to this attack. Java is widely used for a variety of applications, including open source tools like Freemind and Eclipse. Some web sites use Java to provide functionality beyond what’s normally possible with web browsers.

Unfortunately, unless Java’s developer decides to issue an out-of-cycle patch for this vulnerability, it won’t be fixed until the next update cycle, which is scheduled for October 2012.

Recommendations

Standalone, locally-hosted Java applications you’re already using should be safe. Until the vulnerability is patched, we don’t recommend new installations of any Java-based software.

If you don’t use Java, or can live without it until a fix is made available, you can disable it completely in your operating system. However, this is overkill.

Attacks exploiting this vulnerability are much more likely to appear on compromised and nefarious web sites. Navigating your web browser to such a site will almost certainly infect your computer with some kind of malware. Savvy web users already know that care should be exercised when web browsing at any time, but until this security hole is fixed, blindly clicking on web links and browsing to unknown web sites is going to be like playing Russian Roulette. Because of this, many security experts are recommending disabling Java in web browsers, until the flaw is patched.
